Massive iframe hack: The conclusions

Perception vs. Reality

It may seem that things are getting better and cyber-crime may be diminishing, but the evolution of hacking for profit will remain constant through the remainder of this year.

Data breaches are becoming commonplace, and corporate CIOs are focusing their attention on protecting critical assets, especially external-facing applications that are subject to a number of specialized attacks.

We have seen an explosion of high-profile hacks that target external-facing web applications and exploit vulnerabilities to give hackers access to private and sensitive information.

These attacks are getting better and more sophisticated by the day. Some use complex SQL injection techniques to manipulate web sites, with results ranging from a simple insert of a malicious iframe tag to a complete compromise of a web server.

It's interesting to see the number of web sites that are vulnerable to attacks, and that such target sites can easily be found by searching Google for specific strings (http://www.google.com/search?q=inurl:".asp" inurl:"a=") that reveal whether they are potentially exploitable. That's exactly how the hackers automated a massive web hacking campaign that affected over half a million web sites, including the Department of Homeland Security and the United Nations web sites.

A crafted SQL statement was used to compromise the web site and insert a malicious JavaScript that ultimately attempted to exploit several already known vulnerabilities within Microsoft Windows and install malware on visitors' PCs. In other words, the hackers found a way to generically infect hundreds of thousands of web sites automatically using a similar statement.
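One way a site owner could check stored content for script or iframe tags of the kind described above is to scan every text column for tags that load from hosts outside an allow-list. This is an added example, not code from the original article; the SQLite table, the host names and the allow-list are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts or frames from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# <script src=...> or <iframe src=...>, with quoted or unquoted src values.
TAG_RE = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def find_foreign_tags(text):
    """Return (tag, host) for each script/iframe whose src is off-site."""
    hits = []
    for tag, url in TAG_RE.findall(text or ""):
        host = urlparse(url).hostname  # None for relative URLs
        if host and host.lower() not in ALLOWED_HOSTS:
            hits.append((tag.lower(), host.lower()))
    return hits

def scan_database(conn):
    """Check every TEXT column of every table; return one finding per hit."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if "TEXT" in (r[2] or "").upper()]
        for col in cols:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}"'):
                for tag, host in find_foreign_tags(value):
                    findings.append((table, col, rowid, tag, host))
    return findings

def build_sample_db():
    """Constructed sample data: two clean rows and one tampered row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [
        ("Welcome", '<p>Hi</p><script src="//cdn.example.com/app.js"></script>'),
        ("News", '<p>Update</p><script src="/js/local.js"></script>'),
        ("Contact<script src=http://bad.example.net/x.js></script>",
         '<p>Call us</p><IFRAME SRC="http://bad.example.net/f" width=0></IFRAME>'),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_database(build_sample_db()):
        print(finding)
```

A hit in a column that should never contain markup, such as a title, is a strong sign of tampering; the scan only finds the damage, and the vulnerable query still has to be fixed.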

According to the Identity Theft Resource Center (ITRC), the number of data breaches for 2008 has nearly exceeded the combined total of 2007, which obviously raises the question of why internal controls are failing to ensure the safety of critical assets in the time of a breach.